California Data Breach Law Defines Disclosure Requirements

California Gov. Jerry Brown signed into law a bill that defines exactly what organizations have to disclose in case of a data breach.

California has updated its data breach notification law to further define what organizations have to do in case customer data is stolen.

The bill, SB-24, updates California's current data breach notification law by requiring organizations to include in the breach notification letters the specifics of the security incident and advice on steps customers should take. The bill also includes provisions mandating that if the security breach affected 500 or more people, the organization must submit a copy of the letter to the state attorney general's office. The bill was signed into law Aug. 31 by Gov. Jerry Brown and will take effect on Jan. 1, 2012.

The breach notification letters must include information such as the type of personal information exposed, a description of what happened, time of the breach, and toll-free telephone numbers and addresses of major credit reporting agencies in California, according to the new law. The original law did not specify what information had to be included in the letters. The new law also requires the letters to be sent "in the most expedient time possible and without unreasonable delay."

"No one likes to get the news that personal information about them has been stolen," said State Sen. Joe Simitian (D), the bill's sponsor. "But when it happens, people deserve to get the information they need to decide what to do next."

About 28 percent of data breach victims receiving a security breach notification letter "do not understand the potential consequences of the breach after reading the letter," Simitian said, referring to a recent survey by the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley.

Any organization that stores any kind of personal information must send out notification letters as soon as it discovers a security breach in which "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, according to the new law. If the law enforcement agency involved decides that disclosing the breach and notifying the victims would impede the criminal investigation into the incident, then the notification "may be delayed."

"Recently, we ve see an increase in pressure for companies involved in data breach to report increasingly specific data, and in an increasingly timely manner, this effort from California legislation appears poised to do just that," wrote Cameron Camp, a security researcher at ESET, on the ESET Threat blog.

California was the first state to pass a law eight years ago requiring companies to alert California residents if their personal data was accessed illegally in a data breach. Since then, nearly all the other states have followed suit with their versions of that law. All the states have slightly different requirements, resulting in President Obama to request a national data breach notification law so organizations don't need to negotiate a "patchwork of 47 state laws." There are multiple data breach notification bills currently circulating in the House of Representatives and the Senate.